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In this paper we study the liveness of several MUTEX solutions by representing them as processes 
in PAFASj, a CCS-like process algebra with a specific operator for modelling non-blocking reading 
behaviours. Verification is carried out using the tool FASE, exploiting a correspondence between 
violations of the liveness property and a special kind of cycles (called catastrophic cycles) in some 
transition system. We also compare our approach with others in the literature. The aim of this paper 
is twofold: on the one hand, we want to demonstrate the applicability of FASE to some concrete, 
meaningful examples; on the other hand, we want to study the impact of introducing non-blocking 
behaviours in modelling concurrent systems. 



1 Introduction 

MUTEX algorithms can exhibit an intricate behaviour and their correctness can be hard to establish, 
because our intuitive notion of the program flow can be misled by the fact that a shared variable may 
change from one statement to the other, even if the process we are tracing does not modify it. There 
are two kinds of properties to verify: the safety property that two competing processes are never in their 
critical sections at the same time, and the liveness property that a requesting process will always enter its 
critical section. The first kind of property can be proven fairly easily because only the static configuration 
of the system at any time must be taken into account. The liveness property is much more difficult to 
prove since it usually requires some fairness assumption. 

In lUl, we have developed the process description language PAFAS, a CCS-like ifTTTl process algebra 
originally introduced as a tool for evaluating the worst-case efficiency of asynchronous systems. Pro- 
cesses are compared via a variant of the testing approach of De Nicola and Hennessy lfl2l where tests 
are test environments (or user behaviours) together with a time bound. A process is embedded into the 
environment (via parallel composition) and satisfies a (timed) test, if success is reached before the time 
bound in every run of the composed system, i.e. even in the worst case. This gives rise to afaster-than 
preorder relation over processes that is naturally an efficiency preorder. In [7] it has been shown that 
the test-based preorder in JH can equivalently be defined on the basis of a performance function that 
gives the worst-case time needed to satisfy any test environment. Whenever the above testing scenario is 
adapted to a setting where tests belong to a very specific, but often occurring, class of request-response 
user behaviours (processes serving these users receive requests via an /^-action and provide responses 
via an owf-action) this performance function is asymptotically linear. This provides us with a quantita- 
tive measure of systems performance that measures how fast the system under consideration responds to 
requests from the environment. In we have also shown how to determine this performance measure 
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for finite-state processes. This result only holds for request-response processes (i.e. processes that can 
only perform in and out as visible actions) that pass certain sanity checks: they must not produce more 
responses than requests, and they must allow requests and provide responses in finite time. While the first 
requirement can easily be read off from the transition system, violation of the latter one is characterised 
as the existence of a special kind of cycles (called catastrophic cycles) in a reduced transition system (we 
remind the reader to [7 ] for the complete description of such a reduction). Finally, a corresponding tool 
FASE that allows the automated evaluation of systems performance function has been developed; see (H 
for a first informal account. 

The notion of timing in PAFAS is strongly related to (weak) fairness of actions which requires that 
an action must be performed whenever it is enabled continuously in a run. We have shown that each 
everlasting (or non-Zeno) timed process execution is fair and vice versa, where fairness is defined in an 
intuitive but complicated way in the spirit of ||9j [TDJl. In fact, we have proven this correspondence for 
fairness of actions and, with a modified notion of timing, for fairness of components. These characteri- 
sations have been used in Q to prove that Dekker's algorithm is live under the assumption of fairness of 
components but not under the assumption of fairness of actions. This result can be improved by means 
of suitable assumptions about the hardware, namely we must assume that reading a value from a storage 
cell is non-blocking; to model this we have introduced specific reading prefixes for PAFAS in [6]. 

Here, we add reading in the form of a read-set prefix {a\,. . . ,a n } oP (the new process description 
language is called PAFAS. S ) which behaves as P but, like a variable or a more complex data structure, can 
also be read with actions in the set {ai, . . . ,«„}. Since being read does not change the state, each action 
<H (i = 1 , . . . ,ri) can be performed repeatedly until the execution of some ordinary action of P . 

A first key property of non-blocking actions is that they have a direct impact on timed behaviour of 
concurrent systems (see the examples at the end of Section [2]). They are also an important feature for 
proving the liveness of MUTEX solutions under the assumption of weak fairness of actions. Indeed, 
one result in (6J shows that Dekker's algorithm is live when assuming fairness of actions, provided we 
regard as non-blocking the reading of a variable as well as its writing in the case that the written value 
equals the current one. It had long been an open problem how to achieve such a result in a process 
algebra (see e.g. |[T3l ). In @ we have also discovered an interesting connection between liveness of 
MUTEX algorithms and catastrophic cycles; we have shown that violations of the liveness property 
can be traced back to catastrophic cycles of a suitably modified process (cf. Section [3]>. Even though 
FASE was originally developed for automatically checking whether a process of (original) PAFAS has a 
catastrophic cycle, it has been recently adapted to a setting with reading actions. This has opened the 
way to check automatically the liveness property for MUTEX algorithms. 

In this paper we use FASE to study the liveness of four MUTEX solutions-Peterson's, Lamport's, 
Dijkstra's and Knuth's algorithms (see lPT3l and references therein)-under the assumption of fairness of 
actions. Our aim is twofold: we want to show the applicability of FASE to concrete, meaningful examples, 
but also to stress the impact of introducing non-blocking actions in PAFAS (and in general in modelling 
concurrent systems). We prove that Peterson is live provided we regard the reading of a variable as a 
non-blocking action. We also show that the liveness of Dijkstra and Knuth cannot be ensured even if (as 
in 0) we consider as non-blocking the reading of a variable and its writing in the case the written value 
equals the current one. With the same assumption on program variables, we finally prove that Lamport 
(which is not symmetric) is live for just one of the two competing processes, i.e. it is not live. 

To even more emphasize the role of non-blocking reading in proving liveness property, we have 
implemented some ideas taken from [13] that describe how fairness can be assumed in a CCS setting in 
order to enable a proof of liveness. At the time of writing, these ideas could not be expressed for the 
use of the Concurrency Workbench [4], but this is now possible within newer tools like the Concurrency 
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Workbench of the New Century . A comparison of the results provided by the two approaches shows 
that the liveness of Dekker's and Peterson's algorithms strongly depends on the liveness of the hardware. 
This is exactly the sort of consideration for which nonlocking actions provide a formal treatment. 

We proceed as follows: In Section [2] we recall PAFAS V , its timed operational semantics and the 
correspondence between fair traces and everlasting timed computations. In Section [3] we introduce the 
four algorithms and provide our results. Finally, in Section [4] we compare our approach with that in |[T3ll . 

2 A process algebra for describing reading behaviours 

PAFAS (8| is a CCS-like process description language ifTTTl (with a TCSP-like parallel composition), 
where actions are atomic and instantaneous, but have associated an upper time bound (either or 1, for 
simplicity) as a maximal delay for their execution. As shown in [|8l, these upper time bounds can be 
used to evaluate efficiency, but they do not influence functionality (which actions are performed); so 
compared with CCS also PAFAS treats the full functionality of asynchronous systems. In @, PAFAS 
has been extended with a new operator > to represent nonlocking behaviour of processes. Intuitively, 
{«!, . . . , CCn} >P models a process like a variable or a more complex data structure that behaves as P 
but can additionally be read with a,\ , . . . , 0^: since being read does not change the state, each action a,- 
can be performed repeatedly without blocking a synchronization partner as described below. We use the 
following notation: A is an infinite set of visible actions; the additional action z represents a internal 
activity, unobservable for other components, and A T = AU {t}. Elements of A are denoted by a,b,c,... 

and those of A T by 0f,/3, Actions in A T can let time 1 pass before their execution, i.e. 1 is their 

maximal delay. After that time, they become urgent actions written a or z; these have maximal delay 0. 

The set of urgent actions is denoted by A T = {a \ a E A} U {z} and is ranged over by a, j8, Elements 

of A T U At w& ranged over by pt and v. We also assume that, for any a E A T , when time elapses a = a. 
X (ranged over by x,y,z, . . .) is the set of process variables, used for recursive definitions. <1> : A T — > A T 
is a general relabelling function if the set {a E A T | ^ <t> 1 (a) ^ {«}} is finite and <S>(t) = z. Such a 
function can also be used to define hiding: P/A, where the actions in A are made internal, is the same as 
where the relabelling function <t> A is defined by <S>a(g5) = z if a E A and 3>a(«) = a if a ^ A. 
Below, initial processes are just processes of a standard process algebra extended with >, while 
general processes are those reachable from the initial ones according to the operational semantics. The 
set Si of initial (timed) process terms P and S of (general) (timed) process terms Q are generated by: 

P ::= nil |x| a.P\ {osi, . . . ,a„}>P | P+P \ P \\ A P | P[&] | recxJ 5 
Q::=P | a.P \ {fii,...,H„}>Q \ Q + Q \Q\\aQ\ Q[&\ 

where nil is a constant, iG i", a S A T , $ is a general relabelling function and AC A possibly 
infinite; {dti , . . . , a n } and {/ii ,...,/!„} are (finite and nonempty) subsets of A T and A T U A T , resp. We 
assume that the latter kind of read-sets can only contain a copy (either lazy or urgent) of each action a, 
i.e. {jJ.\, . . .,iu. n } cannot contain both a and a for any a E A T . By the operational semantics, terms not 
satisfying this property are not reachable from initial ones anyway. A process term is closed if every 
variable x is bound by the corresponding recx-operator; the set of closed timed process terms in P and 
Pi, simply called processes and initial processes resp., is denoted by P and Pi resp. 

nil is the Nil-process: it cannot perform any action but can let time pass without limits. a.P and 
a.P is action-prefixing known from CCS. Process a.P performs a within time 1; i.e. it can perform 
a immediately and evolve to P (as usual in CCS), or let one time unit pass and become a.P. In this 
latter case, a cannot be further delayed (i.e. it must occur or be deactivated) unless a.P has to wait for 
a synchronisation on a / T. Our processes are patient: as a stand-alone process a.P has no reason to 
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wait, but as a component of a larger system, e.g. a.P \\r a \ a. nil, it can wait for a synchronisation on a; this 
can take up to time 1 since component a. nil can idle so long, {/ii ,...,/J, n }>Q can perform actions from 
{/ii , . . . , jll n } without changing state (including urgencies and, hence, the syntax of the term itself), and 
the actions of Q in the same way as Q, i.e. the read-set is removed after such an action. Q\ + Q2 is a non- 
deterministic choice between two conflicting processes Q\ and Q2. Q\ and Q2 run in parallel in Q\ \\aQ2 
and have to synchronize on all actions from A. />[<&] behaves as P but with actions changed according to 
<!>. recx.P models a recursive definition; we often use equations to define recursive processes. 



Functional and temporal behaviour of PAFAS s processes. We first introduce the transitional seman- 
tics describing the functional behaviour of PAFAS S processes, i.e. which actions they can perform. 
Definition 2.1 (functional operational semantics) Let Q G S and a G A T . The SOS-rules defining the 



transition relation — >-C (§x§) (the action transitions) are given in Table 1 1 As usual, we write Q A Q' 



a 



if (Q,Q r ) gA and Q A if there exists ag'sS such that (Q,Q') G— K Similar conventions will apply 

CC 

later on. We also define the set of the activated or enabled actions to be the set of all a such that Q — > . 

Ate {a, a} Qi^Q' 
Pref v SUM S Read,i 



li.p^p Q\ + Qi^Q! {/ii,...,ju„}><2 A- {/ii,...,/i„}><2 

Q^Q' cc^A, Q\ ^> Q\ a e A, gi A Q[, Q 2 A Q' 2 
Read. v2 Par. s i Par j2 



{Mi,...,m»}>GA!2' GilUffe-^GilUCfc Q1IUQ2 ^ Q'ilUQ^ 

q A e' e{re«.GA} A e' 

Rel,. Rec. s 



Table 1 : Functional behaviour of PAFAS. S processes 

Rules in Table [T] are quite standard. Timing can be disregarded in Pref v : when an action is per- 
formed, one cannot see whether it was urgent or not, and thus a.P — > P; furthermore, component a.P 

(X 

has to act within time 1, i.e. it can also act immediately, giving a.P — > P. Rules Read. s i and Read^ 
say that {/^i ,...,/!„}> Q can either repeatedly perform one of its non-blocking actions or evolve as Q. 
Other rules are as expected; symmetric rules have been omitted. Actually, the above SOS-rules describe 
reading in a sensible way only under some syntactic restrictions, cf. [6]. All the example processes we 
consider here meet these restrictions. 

We now define the refusal traces of a term Q G S. Intuitively a refusal trace records, along a computa- 
tion, which actions process Q can perform (Q A £?', a G A T ) and which actions Q can refuse to perform 
when time elapses (Q — > r Q', X C A). Q — > r Q' is called a (partial) time-step. The actions listed in X 
are not urgent; hence Q is justified in not performing them, but performing a time step instead. This time 
step is partial because it can occur only in contexts that can refuse the actions not in X. If X = A then 
Q is fully justified in performing this time-step; i.e., Q can perform it independently of the environment. 
In such a case, we say that Q performs a 1-step written Q A- Q'; moreover we often write Q (the urgent 
version of Q) instead of Q'. To provide the reader with a better intuition we observe that any Q can per- 
form a 1-step whenever it can refuse to perform, because not urgent, all its activated actions. In the next 
definition, % ({/ii, . • • = {cc |jU; = CC for some i G [l,n]} is the set of urgent actions in {jUi, . . . 5i u„}. 

1 We do here without clean and unmark, used e.g. in to get a closer relationship between states of untimed fair runs and 
timed non-Zeno runs. They do not change the behaviour (up to an injective bisimulation) and would complicate the setting. 
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Definition 2.2 (refusal transitional semantics) The SOS-rules in Table |2j define — > r C. (S x S) where 
X C A. 

a^ZUW Qi\Q' ( foii=l,2 
Nil, PREF fl Pref, 2 Sum, 

nil ^> nil a.p\a.P a.P^ r a.P Q\+Qi^rQ\+Q' 2 

q \ q>, % ({mi , . . . ,M) n(xu {t}) = G ^MM ! > > r Ql 
Read, Rel, 

ini , . . . , m„} > q 4 r e[*] ^> 

Gi 0; for i = 1.2.X C (An (X! UX 2 )) U ((X nX 2 )\A) Q{recx.Q/x] 4,. Q' 
Par, Rec, 

eilU<2 2 £ >,<2iiUG2 recx.e4,-e' 

Table 2: Refusal transitional semantics of PAFAS V processes 

Rule Pref,i says that a process a.P can let time pass and can refuse to perform any action, while rule 
Pref,2 says that a process a.P, can let time pass but action a cannot be refused. Process z.P cannot let 
time pass and cannot refuse any action; in any context, z.P has to perform z before time can pass further. 
Rule Par, defines which actions a parallel composition can refuse during a time-step. The intuition is 
that Qi \\aQ2 can refuse an action a if either a A (<2i and Q2 can do a independently) and both Q\ and 
Q2 can refuse a, or a G A (<2i and Q2 are forced to synchronise on a) and at least one of them can refuse 
the action, i.e. can delay it. Thus, an action in a parallel composition is urgent (cannot be further delayed) 
only when all synchronising 'local' actions are urgent. Rule Read, says that {/^i ,...,fi„}>Q can refuse 
the same actions as Q provided these are not urgent in {/^i , . . . , jll n }; moreover, as for the action-prefixing, 
process {/ii ,...,/!„} Q cannot let time pass and cannot refuse any action, whenever one of the urgent 
actions in {/^i, . . . ,pL n } is a z. Other rules are as expected. Again symmetric rules have been omitted. 

In |H, it is shown that inclusion of refusal traces characterises a testing-based faster- than relation that 
compares processes w.r.t. their worst-case efficiency. In this sense, e.g. P = {a} \>b.n\\ is faster than the 
functionally equivalent P' = recx.a.x + b.n\\, since only the latter has the refusal traces la(la)*. After 
la, P' returns to itself (recursion unfolding creates fresh a and b); intuitively, b is disabled during the 
occurrence of a, so a and also b can be delayed again. In contrast, after a 1-step and any number of a's, P 
turns into {a} >b.n\\ and no further 1-step is possible; read actions do not block or delay other activities, 
they make processes faster. If a models the reading of a value stored by P or P' and two parallel processes 
want to read it, this should take at most time 1 in a setting with non-blocking reads. And indeed, whereas 
P ||/ a } (a. nil H0 ez.nil) has the refusal trace lala, this behaviour is not possible for -P||{ a } (a. nil H^a.nil) 
since, when performing la, this evolves into e.g. {a} o^.nil ||r a i (nil Hoa.nil), and then 1 is not possible. 

Another application of refusal traces is the modelling of weak fairness of actions. Weak fairness 
requires that an action must be performed whenever continuously enabled in a run. Thus, a run from P 
above with infinitely many a's is not fair; the read action does not block b or change the state, so the 
same b is always enabled but never performed. In contrast, if P' performs a, a fresh b is created; in 
conformance to 0, a run from P' with infinitely many a's is fair. In [6], generalising [5], fair traces 
for PAFAS S are first defined in an intuitive, but very complex fashion in the spirit of (9J OH and then 
characterised: they are the sequences of visible actions occurring in transition sequences with infinitely 
many 1-steps. Due to lack of space, we cannot properly formulate this as a theorem, but take it as a 
definition of fair traces instead. With this, infinitely many a's are a fair trace of P' since it can repeat 
la indefinitely, but the fair traces of finite-state P are those that end with b. We use this definition of fair 
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traces to study liveness property of MUTEX solutions we consider in the next section. 



For request-response processes the transition system (built according to Def. 2. 1 and 2.2 1 must be 
reduced as described in |7 ] ; a cycle in the resulting system is catastrophic if it contains (at least) one time 
step but no in- or ow?-transition. 



3 Liveness property of MUTEX algorithms 

In this section we use the approach of |6] to study the liveness of four different MUTEX solutions: 
Peterson's, Lamport's, Dijkstra's and Knuth's algorithm. We first translate the algorithms into PAFAS 4 
and then use FASE to automatically decide whether each of them is live or not. Negative results are 
discussed by means of counterexamples, i.e. fair violating traces which are built from catastrophic cycles 
detected with FASE. The results of this section are collected in Table[3] 



Peterson's algorithm There are two processes Pi and P2, two Boolean- valued variables b\ and b%, 
whose initial value is false, and a variable k, which takes values in {1,2} and whose initial value is 
arbitrary. The bi variables are "request" variables and k is a "turn" variable: bi is true if P,- is requesting 
entry to its critical section and k is i if it is P,'s turn to enter its critical section. Only P, writes bj, but both 
processes read it. Process P,- (with i = 1,2) is described as follows; j is the index of the other process: 

PetersonQ 

1 while true 

2 do (non-critical section) ; 

3 bi <— true; k <— j; 

4 while bj and k = j do skip; 

5 (critical section) ; 

6 bj <— false; 

In our translation of the algorithm into PAFAS S , we use essentially the same coding as Walker in |[T3ll . 
Each variable is represented as a family of processes. For example, the process Bi(f) denotes the variable 
b\ with value false. The sort of Bi (f) (i.e. the set of actions it can ever perform) is \b\rj \b\rt,b\wf \b\wt} 
Unlike lPT3l . we model the actions that correspond to the reading of a variable (e.g. b\rt and b2rt) as non- 
blocking. Below, we let B = {/,?} and K = {1,2}. 

Definition 3.1 (Peterson's algorithm) Let i £ {1,2}. Program variables are represented as follows: 
B i (f) = {b i rf}> {b iW f. Bi if) + b{wt. Btit)) K (1) = {krl } > {kwl .K( 1 ) + kw2. K(2)) 

B,(f) = {b i rt}>(biWt.B i (t) + b i wf.B i (f)) K(2) = {kr2} > (kwl.K(l) +kw2.K(2)) 

Given bi,b 2 G B, k £ K, we define PV(bi,b2,k) = (Bi(ii) ||b 62(62)) ||«K(it). Processes Pi and P 2 are 
represented by the following PAFAS S processes: the actions req ( - and cs,- indicate the request to enter and 
the execution of the critical section by the process P,. 

Pi = reqj.&iwf.&H^.Pn +X.P\ P2 = req 2 -i>2Wt .kw 1 .P21 +T.P2 
Pu = b 2 rf.Pi3 + b 2 rt.Pn Pn = b x rf .Pn+bxrt.Pn 

Pyx = krl.Px 1 + krl .P 13 P 22 = krl .P 2 \ + kr2.P 23 

Pi 3 = csi.biwf.Pi P23 = cs2.b2wf.P2 

Since no process should be forced to request by the fairness assumption, p has the alternative of an 
internal move, i.e. staying in its non-critical section. Peterson's algorithm is defined to be the PAFAS5 
process Peterson = ((Pi H0P2) ||b PV (/",/, l))/fi; here (and in the following) B is the set of all actions 
except req ( - and cs,- (i =1,2). A MUTEX algorithm like Peterson's satisfies liveness if, in every fair 
trace, each req ( - is eventually followed by the respective cs,. 
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We now show how to modify the process Peterson such that it is live under the assumption of fairness 
of actions iff the modified process, that we call Peterson !0 , does not have catastrophic cycles. Observe 
that FASE only accepts request-response behaviours (having only in and out as visible actions) as input 
and, hence, it cannot be applied directly. Moreover, Peterson can perform a 1-step followed by the 



two internal actions of Pi and P2 (see Def. 3.1 1 giving a catastrophic cycle which is not relevant for the 
liveness property. So, we modify Peterson as follows: we first change reqj and csi into t's and req 2 and 
CS2 into in and out, resp.; we finally delete the T summand of Pi. As in [0 (see Theorem 8.20), we can 
prove that Peterson,,, does not have catastrophic cycles iff each request from process P2 will eventually 
be satisfied along fair traces, i.e. iff Peterson is live for process P2 under the assumption of fairness of 
actions. The liveness of Peterson follows by the symmetry of the algorithm. In case of non-symmetric 
algorithms, as e.g. Lamport, the liveness for processes Pi and P2 must be proven separately. Since FASE 
has shown that Peterson,,, does not have catastrophic cycles, our first result is: 

Proposition 3.2 Peterson is live under the assumption of fairness of actions. 

We now consider Peterson', a slightly different specification of Peterson where all actions - including the 
reading of program variables - are ordinary actions. E.g., in this version, we define B,-(f) = birf.Biif) + 



bi\yf.Bi(f) +b(Wt.Bi(t). Then, Peterson' can be defined as in Def. 3.1 

Proposition 3.3 Peterson' is not live under the assumption of fairness of actions. 

Proof: FASE shows that Peterson - has catastrophic cycles as, e.g., those in the next examples. 



□ 



The following example shows a timed computation along which both processes Pi and P2 get stuck 
after a request. To ease understanding, we leave the actions on program variables visible, i.e. we consider 
a timed computation of P = (Pi H0P2) \\b PV(/,/, 1). Indeed, by the operational semantics, we know that 
P behaves as Peterson' as long as we rename actions in B with z. We will proceed in this fashion later 
on in this section. Furthermore, we write PV(?,f, 1) and PV(/,f, 1) to abbreviate (Bi (?) 1 1 @ 6 2 (0) lie K(l) 
and (61 (?) ||a 62(f)) ||b K(l), resp. In general, we underline a value to denote the urgent version of the 
PAFAS s process that represents the corresponding variable. 

Example 3.4 Consider the following timed computation from P. 



p 


= (AH 


0P 2 )|| B PV(f/ ) l) 


reqj bywtkw2 req 2 b^wtkwl 




(Pn 


| P2i)||bPV(m,1) 


b^rth •irt 


R 


= (Pn 


| P22)||bPV(m,1) 


1 

— > 


R 


= (Pn 


|0P 22 )||bPV(m,1) 






(Pn 


|0P 2 i)|| b PV(U,1) 


b\rt^ 


Q 


= (Pn 


|0P 22 )||bPV(/,£,1) 


\R 



Process R can only perform krl as a synchronisation between K(l) and either P12 or P22; after the first 
1-step, this action becomes urgent. Once in R, we perform krl and K(l) evolves into K(l) which can 
delay krl. As a consequence, Q can refuse to perform krl and, since this is its only activated action, 

re re 2 

Q — > R. The execution sequence Peterson' = P/B l - — ► R/B — > R/B ...is fair but not live since 



2 The proof of Theorem 8.2 we provide in |6| is partly independent from the specific algorithm we were analysing, i.e. 
Dekker's algorithm, and it can be easily adapted to all the algorithms we consider in this paper. From now on, we freely use 
the correspondence between liveness and catastrophic cycles without explicitly proving it. In the following, if P is a PAFAS. S 
process that models a given MUTEX solution, we write P/ to denote the process we obtain by changing P as Peterson. 
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x- 1 

no process will ever enter the critical section; R/B — ► Q/B — > R/B corresponds to a catastrophic cycle 
in the reduced transition system of Peterson- . 

This example describes a scenario where process Pi will never move because process P 2 repeatedly 
reads variables k and b\. There is another fair run where Pi, reading variable b 2 , can repeatedly delay 
and, thus, indefinitely block P2 that wants to write it. On the contrary, the representation of program 



variables we use in Def. 3.1 ensures the liveness of the hardware under the assumption of fairness of 



actions; namely, it ensures that no process can be indefinitely blocked by infinite reading. 



Lamport's algorithm There are n > 2 processes and n Boolean- valued variables bi (i = l ... n), each 
with initial value false; only P, writes bj, but all the processes can read it. The i-th process is described 
below: 

Lamport() 

1 var j : integer; 

2 while true 



3 do (non-critical section) ; 

4 bi <— true; 

5 for j <— 1 to ; — 1 

6 do if bj 

7 then bi <— false; 

8 while bj do skip; 

9 goto 4; 

10 for j «- i+l ton 

11 do while bj do skip; 

12 (critical section) ; 

13 bi <— false; 



Now we provide the PAFASj specification in case of n = 2 processes. 

Definition 3.5 {Lamport's algorithm) Again we first define the family of PAFAS s processes representing 
the program variables. Let Bj(f) = {brf ,btwf} > b(Wt .B,(f) and B,-(?) = {birt,b(Wt}>biwf.Bi(f) where 
i G {1,2}. We also define PV(b u b 2 ) = Bi(6i) ||o B 2 (b 2 ) where b h b 2 € B. 
Processes Pi and P2 are represented by: 

Pi = req l .biwt.P n +T.P\ P 2 = req 2 .b 2 wt.P 2 i +T.P 2 

P\ 1 = b 2 rf.P n + b 2 rt.P x 1 P 2 i = bi rf.P 23 + by rt.b 2 wf.P 22 

P\ 2 = csi.b\wf.Pi P 22 = b\rf '.b 2 wt.P 2 \ + b\rt.P 22 

P23 = cs 2 .b 2 wf.P 2 
Finally Lamport = ((A || P 2 ) || B PV(f,/))/B. 

Note that now we regard as non-blocking not only the reading of a variable but also its writing in case 
that the written value equals the current one. This kind of re-write does not change the state of the 
variable and can be thought of as a non-destructive or non-consuming operation (allowing potential 
concurrent behaviour). This way of accessing a variable is not new. It has been implemented e.g. in area 
of database. Unlike in Peterson's specification, we make this assumption on the hardware to show that 
Lamport's algorithm is not live with respect to P 2 : 

Proposition 3.6 If we assume fairness of actions, Lamport is live for process Pi but not for process P 2 . 

Proof: Lamport is not live for ? 2 because Lamport ;o has catastrophic cycles. To prove the other state- 
ment, we need symmetric changes; namely, we rename actions req t and csi into in and out resp. and 
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actions req 2 and CS2 into t; we also delete the T-summand of process Pi. Since this modified process 
does not have catastrophic cycles, we conclude that Lamport is live for process Pi. □ 



Prop. 3.6 still holds if we use the same representation of program variables as in Def. |3.1| while 



we lose liveness for Pi whenever processes representing program variables are those used for Peterson'. 
Then, while reading variable b\, process P2 can forever block the other process that wants to write it. 
The next example explains why Lamport is not live for process P2. 

Example 3.7 The following timed computation corresponds to an execution sequence from La m port = 
L/B which is fair but not live since process P2 never enters its critical section. 

L = (AHfft)IUPV(tt) 

(hwt.Pn\Ub 2 wt.P 21 )\\ B PV(f,f) b -^U 

11 , „ \ 11 // „\ brwt b\rt bowf 

(Pn\Wb2Wt.P2i)\\ B PV(t,f) - — - — 
R = (PnhP22)\\BPV(tj) \ 

R = (gnl|0^2)ll B PV(f,/) 

(PdMhPVifJ) req ' fclt ^ 2r/ ) 

Q = (Pn UP22) HfiPVfo/) ^R 

R can do either a csi- or a &ir?-action (due to a synchronisation between P22 and Bi(?)); both actions 
become urgent after the first 1-step. Later, we perform csi followed by b\wf (and, hence, Bi (?) evolves 

into Bi (/)) which, in turn, is followed by reqj and b\wt. At this stage, Bi if) becomes B 1 (?) and Q can 

9 

refuse to perform its activated actions, again csi and b\rt, and evolve into R. Finally, R/B > 

Q/B R/B corresponds to a catastrophic cycle in the reduced transition system of Lamport ((r A key 
observation here is that process Pi, along this cycle, continuously changes the value of b\ from true to 
false and vice versa. Consequently, the PAFAS^ process representing this variable always offers a new 
instance of b\rf and b\rt to its synchronisation partners, and in particular to /°22- So, any possible move 
of process P2 can be arbitrarily delayed (and, hence, this process can indefinitely be blocked) even in fair 
traces. No reasonable assumption about program variables can prevent this unwanted behaviour under 
weak fairness. 

Dijkstra's algorithm This algorithm considers n > 2 processes that share two Boolean-valued arrays 
b and c (whose components are initialised to true) and a turn variable k initially chosen in {1,2, ... ,n}. 
The i-th process is described below: 
Dijkstra() 

1 var j : integer; 

2 while true 

3 do (non-critical section) ; 

4 b[i] -i— false; 

5 iSk^i 

6 then c[i] true; 

1 if b[k] then& /; 

8 goto 5; 

9 else c[i] ^— false; 

10 for «— 1 to n 

11 do if j / i and ->c[j] then goto 5; 
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12 (critical section) ; 

13 c[i] true; 

14 b[i) <— true; 

Again we provide the PAFAS S representation in case ofn = 2 processes. 



Definition 3.8 {Dijkstra's algorithm) Components of the array b are represented by processes Bj(f) and 
B,(/) (i = 1,2) in Def. |3.5| The other shared variables are defined similarly. Let i = 1,2, bi,Cj € B, 
and k G K; as usual, PV '(bi,b2,c\,C2,k) denotes the parallel composition of all program variables. Its 
definition is as expected and, hence, omitted. Processes Pi and P2 are instead given below: 



Pl- 


= req^biwf.Pu + T.P1 


P2-- 


= req2.b2wf.P21 + T.P2 


Pu 


= krl.P l5 + kr2.ciwt.Pn 


Pn 


= kr2.P25 + krl.c2wt.P22 


P12 


= get.(krl.P u +kr2.P 14 ) 


P22 


= get . (kr2.P 23 + krl .P 24 ) 


Pl3 


= b\rt.put.kwl.P\i +b\rf '.put .P\\ 


P23 


= b2rt.put.kw2.P21 + b2rf.put.P2\ 


Pu 


= b2rt.put.kwl.Pw -\-b2ij .put .P\\ 


P24 


= b\rt.put.kw2.P2\ + b\rf.put.P2\ 


Pl5 


= ciwf.(c 2 rf.Pn+C2rt.Pi 6 ) 


P25 


= C2wf.(cirf.P 2 i+cirt.P 2 6) 


Pl6 


= cs\. c\wt.b\wt.P\ 


P26 


= cs2-C2wt.b2wt.P2 



Dijkstra's algorithm is defined as Dijkstra = (((Pi || P 2 ) \\{ g et, P ut}^) ||s PV(f,f,f,f, 1))/(BU {get, put}) 
where BK = get. put. BK. 

As in ifTBl we must ensure that whenever, during the execution of the statement "if b[k] then k <— i", 
process P, has read variable k but not yet b[k], the other process cannot change the value of the former 
variable. Note that BK locks the variable k in writing mode when evaluating b[k]. Indeed, after a get- 
action, k can be written only after a subsequent put -action, i.e. once b[k] has been read. 

As other papers in the literature (see e.g. (II), we cannot prove the liveness of the algorithrrj^] In case 
A; is 1, process Pi can immediately enter its critical section (after setting £>[1] to false, both conditions k ^ 1 
and ->c[2] are false), while process P2 has to wait until b[l] becomes true (i.e. until Pi ends its critical 
section) and, hence, it can change k. If Pi is fast enough to perform its critical section, reset variables c[l] 
and b[l], and submit a further request (again, by setting b[l] to false) before P2 can actually read b[l], 
the latter process can never enter its critical section. This scenario is fair and, hence, admissible; see e.g. 
in HI where Dijkstra is analysed by exploiting the model checker SMV ([1] and references therein). The 
fairness notion assumed in [ 1 ] ensures that each process executes infinitely often and that no process can 
stay in its critical or non-critical section forever. The next example shows that the above scenario is also 
admissible if one assumes fairness of actions and introduces reasonable non-blocking behaviours. 



Example 3.9 Let us consider the following timed computation: 



Paper [ 1 1 studies the liveness of the same algorithms we consider here except for Lamport. In (T| it has been proven that 
Peterson and Knuth are live, but Dijkstra is not. 
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D 



R 
R 



Q 



{get , P u t }BK)\\ B PV(f,t,t,t,l) 

{get, put} 

BK)\\ B PV(f,t,f,t,V 



(Pl\UP2)\\{ g et,p U t}BK)\\ B Py(t,t,t,t,l) 

(As Heft) 
(fte Heft) 

(fte Ikfti) || { ^,^} BK) || B PV(f,f,f,t, 1) 
(fte [|oft 2 ) || {M} BK) || B PV(f,f,f,t, 1) 
(fte ||eft4) H^^pitf.BK) || B PV(f,f,f,t, 1) 
(fte llefti) || {4etJwf} £irf.BK) || B PV (f,f,f,t, 1) 
(ft ||0ft4)||{^, pMf }^-BK)|| B PV(?,/,f,?,l) 
(fts Hofti) ||{^, pH r}^-BK) || B PV(f,f,t,t,l) 
(fte Hofti) ||{^ fjPt 4^.BK) || B PV(f,f,f,t,l) 



req[ b\\vf krl 



req 2 62"-/ 



CSl ClW( foiWf 



req[ b\wf krl 



C\wf C2ft 



R 



csj T req, T 1 

Along the cycle R/B > Q/B — > P/P, the process Pi repeatedly changes the value of b\ 



from false to true and vice versa. As in Example |3 .7 1 this means that it can block forever process P2. 
Proposition 3.10 Dijkstra is not live under the assumption of fairness of actions. 



Knuth's algorithm There are two processes Pi and P2, two variables c\ and c 2 that take values in 
{0, 1,2} and whose initial value is 0, and a turn variable k that takes values in {1,2} and whose initial 
value is arbitrary. Process Pi (i = 1,2) is described as follows, where j is the index of the other process: 
Knuth() 

1 while true 

2 do (non-critical section) ; 
c t <- 1; 

if k = i then goto 6; 
if cj ^ Othen goto 4; 

Ci <- 2; 



3 
4 
5 
6 
7 
8 
9 
10 
11 



if cj = 2 then goto 3; 

k i; 

(critical section) ; 
d <- 0; 



Definition 3.11 (Knuth's algorithm) The turn variable k is given in Def. 3.1 and modelled according to 



Def. 3.8 Variables c\ and c 2 are represented as follows, where i = 1,2: 

Q(0) = {c i rO,c i wO}>(c i wl.C i (l) + c i w2.C i (2)) 
Q(l) = {c i rl,c i wl}>(c i w0.C i (0) + c/w2.Q(2)) 
Q(2) = {c i r2,Ciw2}>(c i wO.C i (0) + c i wl.Ci(l)) 

Let ci,C2 G {0,1,2} and leK. We let P\/(c\ : c 2 ,k) to be the parallel composition of all program 
variables. Moreover, processes Pi and P2 are defined as follows: 

Pi = reqj.c/wl.Pn +T.P1 P2 = req 2 .C2wl.P2i +T.P2 

Pi 1 = krl .P13 + kr2.P n P21 = kr2.P 23 + krl .P 22 

P12 =c 2 rO.P u +c 2 rl.Pn +c 2 r2.P n P 22 = c 1 rO.P 23 + Cl r\.P 2l + C] r2.P 2l 

Pi 3 = c;w2.Pi4 P23 = c 2 w2.P 24 
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P 14 = c 2 r0.P l5 + c 2 rl.P 15 +c 2 r2.P l6 ^24 = c ]r 0.P 25 + cjrl.P 25 +cjr2.P 26 
P15 = kwl.cs\.kw2.ciwO.P\ P25 = kw2.cs2-kwl.c2wO.P2 

Pl6 = cjwl.Pu P26 = c 2 w\.P 2 i 

We define Knuth = ((A \\ a P 2 ) \\ B PV(0,0, l))/B. 

We now provide an example that shows the existence of a catastrophic cycle in the reduced transition 



system of the modified Knuth. This example also implies Prop. 3.13 



Example 3.12 Let us consider the following timed computation: 



K = 


(Pl\ 


P 2 )||bPV(O,O,1) 


req 2 C2W1 




(Pl\ 




B PV(0,1,1) 


krl Cir0c2w2^ 




(Pl\ 


0P24) | 


b PV(0,2,1) 


reqj cjw\ 




(Pn 


0A4) 


||bPV(1,2,1) 


krlci w2 


R = 


(Pu 


0-P24) 


|| B PV(2,2,1) 


1 

— > 


R = 


(Pu 


\UP24) 


|| B PV(2,2,1) 


Qr2 




(Pie 


H0A4) 


|| B PV(2,2,1) 


ciwl krl ciw2^ 


Q = 


(Pu 


II0A4) 


|| B PV(2,2,1) 


1 

— > 



R 

Once in R, process Pi cannot enter its critical section because C2 is 2; but, the value of this variable 
will never change because P2 is blocked. Moreover, as in Examples 3.7 and |3.9| repeated changes of 
variable c\ (from 2 to 1 and vice versa) allows a further 1-step in Q. The execution sequence Knuth = 

> R/B — y R/B ... is fair but not live since process P2 never enters its critical section. 



req 2 T req 9 T 



K/B 

Let us finally notice that Knuth is live e.g. in flU since the above execution sequence is not fair as defined 
there, and hence not admissible, because process P2 does not execute infinitely often. 



Proposition 3.13 Knuth is not live under the assumption of fairness of actions. 



4 Related works and Conclusion 

This work partly originates from fOl where Walker aimed at verifying six MUTEX algorithms with 
the Concurrency Workbench [4] (CWB, for short). Walker translated the algorithms into CCS and then 
verified the safety property that the two competing processes are never in their critical sections at the 
same time. Regarding the liveness property, Walker first considered the following interpretation - which 
could be expressed as a modal mu-calculus formula and then checked with the CWB: 

An algorithm is live if whenever at some point in a computation the process P; requests the execution of its 
critical section, then in any continuation from that point in which between them the processes execute an 
infinite number of critical sections, P; performs its critical section at least once. 

The fairness (or progress) assumption assumed here is that infinitely often a critical section is entered. 
This assumption allows a run where one process enters its critical section repeatedly, while the other 
one requests the execution of its critical section, but then - for no good reason at all - refuses to take 
the necessary steps to actually enter it. So, it may be no surprising that four of the six algorithms 
(Dekker, Dijkstra, Lamport and Hyman) fail to satisfy this property. Moreover, in order to economize 
on computational effort, the six algorithms in [13] have been minimized w.r.t. weak bisimulation. This 
allowed Walker to ignore some T-loops that could invalidate the liveness property. And, indeed, all of 
them are not live whenever the formula expressing the first interpretation of liveness is evaluated over 
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CWBNC FASE CWBNC FASE CWBNC FASE 



Dekker 


X 


/ 


Peterson 


X 


/ Knuth 


X 


X 


Dijkstm 


X 


X 


Lamport 


X 


X 







Table 3: Liveness of MUTEX solutions: CWBNC vs. FASE. 



the transition system that does not abstract from t's. By examining process P,-, it is clear that these T- 
loops arise, e.g. in Peterson, from repeated reading and writing of variables by the same process. This is 
common to all the algorithms and it is not introduced by the translation into CCS (or in PAFAS). Rather 
its presence reflects the faithfulness of the translation itself. 

Then, Walker considered the same liveness property we study in Section [3] To establish that any 
of the algorithms is live under this second interpretation, Walker added some assumption. Indeed, one 
characteristic of the T-loops arising from repeated reading and writing of variables by one process is 
that the other one is excluded from an infinite computation of the system. It is natural to ask if only the 
presence of such 'unfair' loops prevents any of the algorithms from being live. So, Walker proposed 
to use enriched formulas of the form F => P where P is the property of interest (i.e. liveness) and F 
is a fairness assumption that assumes as admissible only those paths to which each process contributes 
infinitely often. Even if at the time of writing no automated analysis was possible, Walker discussed 
how fairness could be assumed. The basic idea is to tag each action with a unique probe or label; then, 
we can say the i-th process P, contributes infinitely often to a computation whenever none of its probes 
is continuously possible from a certain point on. Finally, the liveness under this fairness assumption 
is expressed by letting Kj be the set of all probes of P, and defining FairLive = FairLive\ A FairLive2 
where FairLivei = {AaeKj GF[a] false) G((reqj)true F(cSi)true), and the operators G (always), 
F (future), () (possibly) and [] (necessarily) are standard modal logics operators. 

This fairness induced with probes is closely related to fairness of actions as it has been defined 
in 10 [10]]. W.r.t. our characterisation (cf. Section [2]), the main difference is that, instead of time and 
time passing, probes are used to decide whenever an action is continuously enabled along a computation 
and, hence, must be performed eventually. To allow a comparison, we have implemented these ideas 
within the Concurrency Workbench of the New Century (CWBNC, for short) that, unlike CWB, can 
handle modal formulas with fairness constrains. To be able to attach a probe to each process action, 
the algorithms have been translated into Timed CCS (this is not possible by using the standard CCS 
language); probes are introduced by annotating synchronisation actions or t's. For instance, the i-th 
processes of Peterson can be defined as follows: 

P = biwt(reqi) .kwj(ai) .Pn Pa = krj(ai).P n + kri(ai) .P a 

P n = b j rf{b i ).P a +b j rt(b i ).Pa Pq = cs^crO-WC**)^ 
Note that two consecutive actions (as, e.g., b(Wt and kwj in Pi) never have the same label. Moreover, 
since the overall number of labels impacts on the computational effort (see below), we also try to reduce 
the number of labels we use. For example, we can reuse a, to label the actions of Pa because none of its 
actions is adiacent to kwj and this action has already been executed once Pa is reached. 

Whenever an action is performed, the corresponding label becomes visiW^j and can be used as a 
probe in FairLive. Table[3]shows that all the algorithms we consider are not live according to this second 
liveness interpretation (also in this setting, Lamport is live for process Pi but not for P2). As an example, 
consider a path from Peterson along which the first process reaches Pn = b2rf{b\).P\j, + b2rt(b\).P\2, 



4 E.g., if Pi synchronises with B/(/") on the execution of £>,vvf, the label @req { becomes visible; similarly, whenever process 
Pi executes cs,- we get the label @cs,-. 
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CWBNC 


FASE 




CWBNC 


FASE 


CWBNC 


FASE 


Dekker 


103125 


119 


Peterson 


4844 


34 Knuth 


110391 


166 


Dijkstm 


1 10797 


647 


Lamport 


1734 


22 







Table 4: Execution time (expressed in milliseconds): CWBNC vs. FASE 



bi is true and k is 2. Once in such a state, process Pi can read Z?2 and k and come back to P\\. Along 
this cycle, no probe of Pi is continuously possible (probes b\ and a\ are alternately possible) but csi will 
never be performed. So, FairLive\ is false and Peterson is not live. As in Example |3.4| there is a path 
along which a process can be indefinitely blocked by repeated reading. Also in this setting, the liveness 
of the algorithm strongly depends on the liveness of the hardware, i.e. on the the possibility of making 
some behaviours non-blocking. 

As a further counter-check, we again consider Peterson but now we tag its actions in such a way that 
the same probe is associated to all the actions that appear along consecutive reading (trying to simulate 
the intuition behind non-blocking behaviours). So, let us replace Pq with Pa = krj(bj).Pj\ + kri(bi) .Pq. 
Now, whenever in P\\ and assuming &2 and k equal to true and 2, the process Pi can still repeatedly 
read variables &2 and k, but the corresponding path is not fair because probe b\ is continuously possible. 
With these probes, Peterson and Dekker turn out to be live. So, probes can be used to somehow simulate 
non-blocking actions. But they must be added and (whenever necessary) tuned by the user by hand. This 
task is subject to errors and wrong assumptions that would give erroneous results. On the contrary, FASE 
can be more easily used by also a non-expert user that has only to decide whether (and, in case, which) 
non-blocking behaviours are necessary. In our opinion, the use of probes requires a deeper knowledge 
of the problem and much more attention in both modelling and analysis phases. 

Another difference between the two approaches deals with performance issues. In Table [4] we report 
the execution time of both FASE and CWB-NC to perform the analysis on the algorithms discussed in this 
paper. In particular, in Q an efficient algorithm for detecting catastrophic cycles has been proposed 
and implemented. This works in time 0(N + E) where N and E are, resp., the number of nodes and 
edges of the state space of the process. On the contrary, CWBNC uses an on-the-fly model checking 
algorithm whose complexity is exponential in the size of the formula (see 0); in our case, this size 
strongly depends on the number of probes. 

FASE is a good first step towards the creation of an integrated framework for the analysis of concurrent 
systems. The improvements introduced by the tool (and, in particular, the possibility to easily check non- 
functional properties such as liveness) allows us to derive results - as those in this paper - very hard to 
prove by hand. Since these results are very promising, we are currently planning to extend FASE in order 
to improve the analysis of more complex systems with a larger state space. 
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